From 70a45cb6237e4ad1be3a0e33bf6b898895452c28 Mon Sep 17 00:00:00 2001
From: David Svantesson
Date: Sun, 18 Aug 2019 14:22:39 +0000
Subject: [PATCH 1/2] Allow token as authorization for accessing attachments
Signed-off-by: David Svantesson
---
 modules/auth/auth.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/auth/auth.go b/modules/auth/auth.go
index 1013628073a4e..54cf358334612 100644
--- a/modules/auth/auth.go
+++ b/modules/auth/auth.go
@@ -29,6 +29,11 @@ func IsAPIPath(url string) bool {
 	return strings.HasPrefix(url, "/api/")
 }
 
+// IsAttachmentPath if URL is a path to an attachment
+func IsAttachmentPath(url string) bool {
+	return strings.HasPrefix(url, "/attachments/")
+}
+
 // SignedInID returns the id of signed in user.
 func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
 	if !models.HasEngine {
@@ -36,7 +41,7 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
 	}
 
 	// Check access token.
-	if IsAPIPath(ctx.Req.URL.Path) {
+	if IsAPIPath(ctx.Req.URL.Path) || IsAttachmentPath(ctx.Req.URL.Path) {
 		tokenSHA := ctx.Query("token")
 		if len(tokenSHA) == 0 {
 			tokenSHA = ctx.Query("access_token")
From c46585f388d1b1d3691f2f68fcf0594b47cbd43f Mon Sep 17 00:00:00 2001
From: David Svantesson
Date: Tue, 20 Aug 2019 21:33:10 +0000
Subject: [PATCH 2/2] Only allow token authentication for attachments if it is a download (GET)
---
 modules/auth/auth.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/auth/auth.go b/modules/auth/auth.go
index 54cf358334612..0ee73ea80d7c3 100644
--- a/modules/auth/auth.go
+++ b/modules/auth/auth.go
@@ -29,9 +29,9 @@ func IsAPIPath(url string) bool {
 	return strings.HasPrefix(url, "/api/")
 }
 
-// IsAttachmentPath if URL is a path to an attachment
-func IsAttachmentPath(url string) bool {
-	return strings.HasPrefix(url, "/attachments/")
+// IsAttachmentDownload check if request is a file download (GET) with URL to an attachment
+func IsAttachmentDownload(ctx *macaron.Context) bool {
+	return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == "GET"
 }
 
 // SignedInID returns the id of signed in user.
@@ -41,7 +41,7 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
 	}
 
 	// Check access token.
-	if IsAPIPath(ctx.Req.URL.Path) || IsAttachmentPath(ctx.Req.URL.Path) {
+	if IsAPIPath(ctx.Req.URL.Path) || IsAttachmentDownload(ctx) {
 		tokenSHA := ctx.Query("token")
 		if len(tokenSHA) == 0 {
 			tokenSHA = ctx.Query("access_token")
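Review bot: `IsAttachmentDownload` compares the method against the bare literal `"GET"`, which also rejects a HEAD request for the same attachment URL; whether HEAD should count as a download is a design decision, but the comparison should use the `net/http` constant if that package is already imported in this file, `return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == http.MethodGet`, and the doc comment should state the rule rather than paraphrase the name, e.g. `// IsAttachmentDownload reports whether the request is a GET for a path under /attachments/, the only non-API requests for which an access token may authenticate the caller.`. Note also that this helper takes a `*macaron.Context` while `IsAPIPath` takes a string, so the two guards on the `SignedInID` line in the next hunk are no longer parallel; taking the path and method explicitly would keep the helper testable without constructing a context. The prefix test only decides whether token authentication is attempted; whatever authorisation the attachment handler itself performs is outside this hunk and is presumably unchanged.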
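Review bot: Accepting `token`/`access_token` from the query string on `/attachments/` GETs means the credential now travels in a URL that browsers fetch directly, so it is more likely than an API call to be recorded in access logs, browser history and Referer headers; the commit message does not discuss this trade-off, and the comment on the preceding line should at least say which requests are covered, e.g. `// Check access token (API requests and GET attachment downloads; the token may arrive in the query string).`. The rest of `SignedInID`, including what happens when the token lookup fails, lies outside this hunk, so whether a valid session is still consulted for attachment downloads cannot be confirmed from here.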